1 / 35

Review and Announcement

Review and Announcement. Ethernet Ethernet CSMA/CD algorithm Hubs, bridges, and switches Hub: physical layer Can’t interconnect 10BaseT & 100BaseT Bridges and switches: data link layers Wireless links and LANs 802.11 a, b, g. All use CSMA/CA for multiple access

tracic
Download Presentation

Review and Announcement

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Review and Announcement • Ethernet • Ethernet CSMA/CD algorithm • Hubs, bridges, and switches • Hub: physical layer • Can’t interconnect 10BaseT & 100BaseT • Bridges and switches: data link layers • Wireless links and LANs • 802.11 a, b, g. • All use CSMA/CA for multiple access • Homework 4 due tonight so that TA can discuss it in recitation tomorrow • Final review in Thu. Class • Final 3/18 (Th) 12:00-1:30pm

  2. Network Security Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and counter measures • Part of the final

  3. What is network security? Confidentiality: only sender, intended receiver should “understand” message contents • sender encrypts message • receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and Availability: services must be accessible and available to users

  4. Friends and enemies: Alice, Bob, Trudy • well-known in network security world • Bob, Alice (lovers!) want to communicate “securely” • Trudy (intruder) may intercept, delete, add messages Alice Bob data, control messages channel secure sender secure receiver data data Trudy

  5. Who might Bob, Alice be? • … well, real-life Bobs and Alices! • Web browser/server for electronic transactions (e.g., on-line purchases) • on-line banking client/server • DNS servers • routers exchanging routing table updates • other examples?

  6. There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: a lot! • eavesdrop: intercept messages • actively insert messages into connection • impersonation: can fake (spoof) source address in packet (or any field in packet) • hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place • denial of service: prevent service from being used by others (e.g., by overloading resources) more on this later ……

  7. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and counter measures

  8. K K A B The language of cryptography Alice’s encryption key Bob’s decryption key symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) encryption algorithm decryption algorithm ciphertext plaintext plaintext

  9. Symmetric key cryptography substitution cipher: substituting one thing for another • monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc

  10. public key cryptography • radically different approach • sender, receiver do not share secret key • public encryption key known to all • private decryption key known only to receiver Public Key Cryptography symmetric key crypto • requires sender, receiver know shared secret key • Q: how to agree on key in first place (particularly if never “met”)?

  11. + K (m) B - + m = K (K (m)) B B Public key cryptography + Bob’s public key K B - Bob’s private key K B encryption algorithm decryption algorithm plaintext message plaintext message, m ciphertext

  12. K (K (m)) = m B B - + 1 2 Public key encryption algorithms Requirements: need K ( ) and K ( ) such that . . + - B B + given public key K , it should be impossible to compute private key K B - B RSA: Rivest, Shamir, Adelson algorithm

  13. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and counter measures

  14. Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0:Alice says “I am Alice” “I am Alice” Failure scenario??

  15. Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0:Alice says “I am Alice” in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice “I am Alice”

  16. Alice’s IP address “I am Alice” Authentication: another try Protocol ap2.0:Alice says “I am Alice” in an IP packet containing her source IP address Failure scenario??

  17. Alice’s IP address “I am Alice” Authentication: another try Protocol ap2.0:Alice says “I am Alice” in an IP packet containing her source IP address Trudy can create a packet “spoofing” Alice’s address

  18. Alice’s password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: another try Protocol ap3.0:Alice says “I am Alice” and sends her secret password to “prove” it. Failure scenario??

  19. Alice’s password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: another try Protocol ap3.0:Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s password Alice’s IP addr “I’m Alice” playback attack: Trudy records Alice’s packet and later plays it back to Bob

  20. encrypted password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: yet another try Protocol ap3.1:Alice says “I am Alice” and sends her encryptedsecret password to “prove” it. Failure scenario??

  21. encrypted password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: another try Protocol ap3.1:Alice says “I am Alice” and sends her encrypted secret password to “prove” it. encryppted password Alice’s IP addr “I’m Alice” record and playback still works!

  22. K (R) A-B Authentication: yet another try Goal:avoid playback attack Nonce:number (R) used only once –in-a-lifetime ap4.0:to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! Failures, drawbacks?

  23. - K (R) A + + K K A A - - + (K (R)) = R K (K (R)) = R A A A Authentication: ap5.0 ap4.0 requires shared symmetric key • can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography “I am Alice” Bob computes R and knows only Alice could have the private key, that encrypted R such that “send me your public key”

  24. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and counter measures

  25. public Internet administered network firewall Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall

  26. Firewalls: Why prevent denial of service attacks: • SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections. prevent illegal modification/access of internal data. • e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts)

  27. internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Packet Filtering Should arriving packet be allowed in? Departing packet let out?

  28. Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. Packet Filtering

  29. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and counter measures

  30. src:B dest:A payload Internet security threats Packet sniffing: • broadcast media • promiscuous NIC reads all packets passing by • can read all unencrypted data (e.g. passwords) • e.g.: C sniffs B’s packets C A B Countermeasures?

  31. src:B dest:A payload Internet security threats Packet sniffing: countermeasures • all hosts in organization run software that checks periodically if host interface in promiscuous mode. C A B

  32. src:B dest:A payload Internet security threats IP Spoofing: • can generate “raw” IP packets directly from application, putting any value into IP source address field • receiver can’t tell if source is spoofed • e.g.: C pretends to be B C A B Countermeasures?

  33. src:B dest:A payload Internet security threats IP Spoofing: ingress filtering • routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network) • great, but ingress filtering can not be mandated for all networks C A B

  34. SYN SYN SYN SYN SYN SYN SYN Internet security threats Denial of service (DOS): • flood of maliciously generated packets “swamp” receiver • Distributed DOS (DDOS): multiple coordinated sources swamp receiver • e.g., C and remote host SYN-attack A C A B Countermeasures?

  35. SYN SYN SYN SYN SYN SYN SYN Internet security threats Denial of service (DOS): countermeasures • filter out flooded packets (e.g., SYN) before reaaching host: throw out good with bad • traceback to source of floods (most likely an innocent, compromised machine) C A B

More Related